Cursor 2.2 introduces revolutionary multi-agent workflows, Visual Editor, and Debug Mode. But IDEsaster vulnerabilities reveal that all AI coding tools—Cursor, Windsurf, Copilot—have dangerous security flaws. Here’s what you need to know.
The Best Week and Worst Week for AI Coding Tools

December 2025 delivered the most significant—and most contradictory—news in AI coding tool history.
On one hand: Cursor 2.2 dropped with game-changing features including 8 parallel AI agents, a Visual Editor that bridges design and code, and a Debug Mode that automatically instruments your code to find bugs.
On the other hand: Security researcher Ari Marzouk disclosed IDEsaster—a collection of 30+ vulnerabilities across Cursor, Windsurf, GitHub Copilot, and other AI coding tools that enable data exfiltration and remote code execution.
The promise and the peril of AI-assisted development have never been clearer.
Cursor 2.2: What’s New
Multi-Agent Workflows
The headline feature of Cursor 2.2 is multi-agent judging—the ability to run up to 8 AI agents in parallel on the same prompt, each working in an isolated copy of your codebase.
| Feature | Specification |
|---|---|
| Parallel Agents | Up to 8 agents simultaneously |
| Isolation | Each agent works in isolated copy (git worktrees) |
| Auto-Judging | System evaluates all outputs, recommends best solution |
| Explanation | Provides reasoning for why one solution is preferred |
Why This Matters:
Instead of running one prompt and hoping for the best, you can now explore multiple approaches simultaneously. The agent evaluates outputs and recommends which solution best addresses your requirements.
This is particularly powerful for:
- Complex refactoring with multiple valid approaches
- Debugging where root cause is unclear
- Feature implementation with design trade-offs
Visual Editor
Cursor 2.2 introduces a Visual Editor that turns your IDE into a web design studio:
| Capability | Description |
|---|---|
| Drag-and-drop | Rearrange DOM elements visually |
| Component state | Test React props in sidebar |
| Visual controls | Sliders, color pickers, design tokens |
| Point and prompt | Click element, describe changes in natural language |
| Design-to-code | Visual changes automatically update code |
The Visual Editor integrates Chrome DevTools-style inspection directly into the IDE. For front-end developers, this closes the loop between design tools and code editors—changes in the visual interface propagate to your codebase automatically.
Debug Mode
The most technically impressive feature is Debug Mode—an agent-driven debugging loop:
| Step | Action |
|---|---|
| 1. Describe bug | Tell the agent what’s wrong |
| 2. Hypothesize | Agent generates multiple root cause hypotheses |
| 3. Instrument | Agent adds runtime logging automatically |
| 4. Reproduce | You trigger the bug while agent collects data |
| 5. Analyze | Agent identifies root cause from runtime logs |
| 6. Fix | Agent proposes minimal, targeted fix |
| 7. Verify | You confirm fix works |
| 8. Cleanup | Agent removes all instrumentation |
Key capabilities:
- Cross-stack and cross-language support
- Works with GPT-5.2, Claude, and native Composer model
- Generates step-by-step debugging traces
- Proposes minimal fixes (often just a few lines)
This is debugging-as-a-service. Instead of manually adding console.log statements and tracing through code, the agent handles instrumentation, analysis, and fix proposal.
Plan Mode Improvements
Cursor 2.2 also upgrades Plan Mode:
| Enhancement | Description |
|---|---|
| Mermaid diagrams | Visual planning with inline diagrams |
| Task delegation | Send specific to-dos to new parallel agents |
| Visual streaming | Watch diagrams generate in real-time |
IDEsaster: The Security Time Bomb
Just as Cursor 2.2 celebrates AI coding advancement, security researcher Ari Marzouk (MaccariTA) disclosed IDEsaster—a class of 30+ vulnerabilities affecting every major AI coding tool.
What’s Affected
| Tool | CVE Examples | Status |
|---|---|---|
| Cursor | CVE-2025-49150, CVE-2025-54130, CVE-2025-61590 | Vulnerable |
| GitHub Copilot | CVE-2025-53773, CVE-2025-64660 | Vulnerable |
| Windsurf | Multiple CVEs | Vulnerable |
| Roo Code | CVE-2025-53097, CVE-2025-53536, CVE-2025-58372 | Vulnerable |
| Claude Code | Addressed with warnings | Partially mitigated |
How IDEsaster Works
The attack chain exploits three elements:
| Step | Vector | Description |
|---|---|---|
| 1 | Prompt Injection | Hidden characters, poisoned URLs, malicious MCP servers, or embedded instructions in project files hijack agent context |
| 2 | Auto-Approved Actions | AI agents execute read/write operations without user confirmation |
| 3 | Legitimate IDE Features | Once context is compromised, agent triggers built-in features to exfiltrate data or execute commands |
Example Attack Scenarios:
1. Data Exfiltration via JSON Schema:
   - Agent is tricked into writing a JSON file with a `$schema` property pointing to an attacker’s server
   - IDE automatically fetches the remote schema
   - Request includes sensitive data from the file
   - No user interaction required
2. Remote Code Execution via Settings:
   - Agent edits `.vscode/settings.json` or `.idea/workspace.xml`
   - Points Python interpreter or executable paths to malicious scripts
   - The next time the user runs code, the malicious script executes
   - Full system compromise achieved
3. Malicious Workspace Injection:
   - Attacker commits hidden instructions in repository files
   - Agent reads these during normal operation
   - Agent executes attacker’s commands thinking they’re legitimate
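A defensive check for scenarios 1 and 2, added here as an example (it is not from the original article or any vendor's tooling): it audits a workspace for JSON files whose `$schema` points at a non-allowlisted remote host, and for `.vscode/settings.json` entries whose program path resolves inside the repository. The allowlisted hosts, the key-suffix heuristic and the function names are assumptions; `.idea/workspace.xml` is not covered.

```python
import json
from pathlib import Path
from urllib.parse import urlparse

# Assumption: schema hosts your team has decided to trust.
ALLOWED_SCHEMA_HOSTS = {"json.schemastore.org", "json-schema.org"}
# Assumption (heuristic): setting names with these endings hold a program path.
EXEC_KEY_SUFFIXES = ("path", "interpreter", "executable", "command")


def audit_json(path: Path, root: Path) -> list[str]:
    """Return findings for one JSON file inside the workspace `root`."""
    try:
        doc = json.loads(path.read_text(encoding="utf-8"))
    except (ValueError, OSError):
        # settings.json is often JSONC (comments); report it, never skip it.
        return [f"{path}: not strict JSON, review by hand"]
    if not isinstance(doc, dict):
        return []
    findings = []
    schema = doc.get("$schema")
    if isinstance(schema, str):
        url = urlparse(schema)
        if url.scheme in ("http", "https") and url.hostname not in ALLOWED_SCHEMA_HOSTS:
            extra = " carrying query/fragment data" if url.query or url.fragment else ""
            findings.append(f"{path}: remote $schema on {url.hostname}{extra}")
    if path.parent.name == ".vscode" and path.name == "settings.json":
        for key, value in doc.items():
            if not (isinstance(value, str) and value
                    and key.lower().endswith(EXEC_KEY_SUFFIXES)):
                continue
            target = Path(value) if Path(value).is_absolute() else root / value
            # A program path that resolves inside the repo is repo-controlled.
            if target.resolve().is_relative_to(root.resolve()):
                findings.append(f"{path}: {key} points into workspace: {value}")
    return findings


def audit_workspace(root: Path) -> list[str]:
    """Audit every *.json file under `root`, dot-directories included."""
    findings = []
    for path in sorted(root.rglob("*.json")):
        if path.is_file():
            findings.extend(audit_json(path, root))
    return findings
```

Run `audit_workspace(Path("."))` after an agent session and before executing anything from the project. Files reported as "not strict JSON" still need a manual read.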
Why This Is Particularly Dangerous
The vulnerability class is called IDEsaster because it turns features into attack vectors:
| Feature | Legitimate Use | Weaponized Use |
|---|---|---|
| JSON Schema validation | Type checking | Data exfiltration |
| Settings files | IDE configuration | RCE via interpreter poisoning |
| File reading | Code analysis | Credential theft |
| External URLs | Documentation | Prompt injection delivery |
| MCP servers | Extended capabilities | Attack infrastructure |
The more capable your AI coding tool, the larger your attack surface.
The Chromium Problem
Adding to concerns, Cursor and Windsurf are built on Electron (Chromium-based) but use outdated Chromium versions. Security researchers found:
| Issue | Impact |
|---|---|
| 94 Chromium CVEs | Known vulnerabilities in browser engine |
| 1.8M developers affected | Combined user base |
| Memory safety bugs | Many with RCE potential |
The AI agent vulnerabilities compound with browser engine vulnerabilities—attackers have multiple entry points.
The Tension: Power vs. Safety
Cursor 2.2’s new features and IDEsaster represent opposite sides of the same coin:
| Feature | Power | Risk |
|---|---|---|
| Multi-agent workflows | Parallel problem solving | More agents = more attack surface |
| Visual Editor | Design-code unity | File modifications without explicit approval |
| Debug Mode | Automated instrumentation | Code modification by AI |
| Auto-approved actions | Speed and convenience | Security bypass |
The AI coding tool market faces a fundamental tension:
- Developers want speed: Fewer confirmations, faster changes
- Security requires friction: Confirmation dialogs, sandboxing, review
Cursor 2.2 optimizes for speed. IDEsaster shows the cost.
What You Should Do
If You Use AI Coding Tools
Immediate Actions:
| Action | Priority |
|---|---|
| Only open trusted projects | Critical |
| Review MCP server connections | Critical |
| Update your tools | High |
| Check for hidden file content | High |
| Review auto-approve settings | High |
Best Practices:
1. Treat AI agents as untrusted: They can be manipulated
2. Review external URLs: Hidden prompt injections are common
3. Sandbox sensitive work: Use VMs or containers for client projects
4. Monitor network traffic: Watch for unexpected outbound connections
5. Review settings changes: Check .vscode and .idea folders after AI edits
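One way to act on "Check for hidden file content", added here as an example (not code from the original article): it reports every invisible Unicode format character in a project's text files and rewrites a line so a reviewer can see what was hidden. The file-suffix list, the sample text and the function names are assumptions.

```python
import unicodedata
from pathlib import Path

# Constructed sample: two lines carrying a zero-width space and a
# right-to-left override that a normal diff view would not show.
SAMPLE = "Run the tests\u200b before merging\n# safe \u202econfig\n"


def reveal(line: str) -> str:
    """Rewrite a line with every invisible format character made visible."""
    return "".join(f"<U+{ord(c):04X}>" if unicodedata.category(c) == "Cf" else c
                   for c in line)


def find_hidden(text: str) -> list[tuple[int, int, str]]:
    """Return (line, column, character name) for each invisible character."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            # Cf is the Unicode "format" category: zero-width, bidi and
            # tag characters all fall in it and render as nothing.
            if unicodedata.category(ch) == "Cf":
                hits.append((lineno, col, unicodedata.name(ch, f"U+{ord(ch):04X}")))
    return hits


def scan_tree(root: Path, suffixes=(".md", ".txt", ".json", ".yaml", ".py")) -> dict:
    """Map each matching text file under `root` to its hidden-character hits."""
    report = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            # utf-8-sig drops a leading byte-order mark so it is not reported.
            text = path.read_text(encoding="utf-8-sig")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable file: outside this check
        hits = find_hidden(text)
        if hits:
            report[str(path.relative_to(root))] = hits
    return report
```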
For Enterprise Teams
| Recommendation | Description |
|---|---|
| Require human confirmation | Configure tools to require approval for file changes |
| Allowlist MCP servers | Only permit known, trusted servers |
| Code review for AI changes | Treat AI-generated code as untrusted |
| Network monitoring | Flag unexpected external connections |
| Vendor assessment | Ask vendors about IDEsaster patching status |
Vendor Responses
| Vendor | Response |
|---|---|
| Cursor | CVEs assigned, patches pending |
| GitHub Copilot | CVEs assigned, patches pending |
| Claude Code | Added security warnings (not code fixes) |
| AWS | Security advisory AWS-2025-019 issued |
As of December 16, 2025, no vendor has fully patched all IDEsaster vulnerabilities. The attack class may require architectural changes, not just patches.
The Bottom Line
December 2025 shows AI coding tools at an inflection point:
The Good:
- Cursor 2.2 is legitimately impressive
- Multi-agent workflows could transform development
- Debug Mode addresses a real pain point
- Visual Editor bridges design and code
The Bad:
- IDEsaster affects every major tool
- 30+ CVEs across the ecosystem
- Attack vectors are features, not bugs
- Fundamental architecture may need rethinking
The Recommendation:
Use Cursor 2.2’s new features—they’re genuinely useful. But do so with security awareness:
- Keep projects isolated
- Review AI modifications
- Stay updated on patches
- Treat convenience features as risk surfaces
The AI coding revolution continues. So does the security reckoning.
FAQ
Is my code at risk right now?
Potentially, yes. If you open untrusted projects or connect to malicious MCP servers, IDEsaster vulnerabilities could be exploited.
Should I stop using AI coding tools?
No, but increase vigilance. Use trusted projects only and review AI modifications.
When will patches be available?
Vendors are working on fixes, but no complete patches are available as of December 16, 2025.
Does this affect Antigravity?
Antigravity is also Electron-based and likely affected by similar vulnerability classes. Check with the vendor for specific advisories.
Is Cursor 2.2 worth updating to?
Yes, the new features are significant. Just update your security practices alongside.
